Analysis

  • max time kernel
    192s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2022 17:17

General

  • Target

    Purchase order 781830171.exe

  • Size

    602KB

  • MD5

    94a7ae060dd2244f3e523ef87ac573d5

  • SHA1

    6da1cf7a0e4a708e6c986a810cbe87ac73bbf5e1

  • SHA256

    0d65bd3f562fa127be5f009203fed5b0da090648f61d10d03ded5c89228e3766

  • SHA512

    b079719fc7064d9137b53e078e331a19cf0805fec42a68e2c625af3eea95f0cd6aca84bbf75c46892fe03d35d0b186bd118a3821b77a748eadb663e1e2232f5b

  • SSDEEP

    12288:zsBbFXMFRCMxYTri4ZzEouFxSdBTM09Zq8SblZuuNwApnkGngLr8z6:4jXMbhmT24yoW07q88lZuEnrngLrr

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Users\Admin\AppData\Local\Temp\Purchase order 781830171.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase order 781830171.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Users\Admin\AppData\Local\Temp\wlljbvbd.exe
        "C:\Users\Admin\AppData\Local\Temp\wlljbvbd.exe" "C:\Users\Admin\AppData\Local\Temp\vikaf.au3"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Users\Admin\AppData\Local\Temp\wlljbvbd.exe
          "C:\Users\Admin\AppData\Local\Temp\wlljbvbd.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4280
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3352
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4692

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bzsjwac.vy

      Filesize

      88KB

      MD5

      67dca33ac008f0e2ac4b9d15feaf3a29

      SHA1

      d641f638dd1cb298b9051993b59fef4d7957cf89

      SHA256

      ba0d7c863884b26cc510fbc2da2cefb70f5fa9454906873e9bcfab35fab48271

      SHA512

      860a1c2fdd9bc6e8b1998c7eb9b934ee3b04f435596637aa4c9994623b34fef96cc0a87e5cf7ccc7c1e9c97abf3c3c35cec7f1d937dcd3dfb47f064bb4647909

    • C:\Users\Admin\AppData\Local\Temp\nlchvqplaqp.f

      Filesize

      185KB

      MD5

      ab2fa9b3dcdfd2161b851d99d52723d4

      SHA1

      934665b0033865165cc46989b66f753c81df54d3

      SHA256

      81c13b87579bcd37a0875d6eaf4369c9a762fb5a1bc180b498a5457587334b22

      SHA512

      2a520d53722a9d6135a3cf2b38a73e48e92916b5f5623ddf803df467403a44801922b1d5dd35e4b80edc4507a3eadaafadef82c3455aa5891a99d48ae8f02de4

    • C:\Users\Admin\AppData\Local\Temp\vikaf.au3

      Filesize

      6KB

      MD5

      866534baecedd53196af71713c36b65e

      SHA1

      d05b9466d481ca8d3be3a190b85af494fccd9406

      SHA256

      e772631fbcae9b3d339a9556899a5d44194ab2acdb061cb081514e94c92c18e6

      SHA512

      6947781c62d388da05e02621fa8696547f8bbaae3e1168afbaf1e9114c42c254f1344a3ad746357c6c98e191495291724ba1c09c987d43b83b8514d5c33f5ae6

    • C:\Users\Admin\AppData\Local\Temp\wlljbvbd.exe

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\Users\Admin\AppData\Local\Temp\wlljbvbd.exe

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\Users\Admin\AppData\Local\Temp\wlljbvbd.exe

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • memory/512-144-0x0000000002F80000-0x0000000003030000-memory.dmp

      Filesize

      704KB

    • memory/512-153-0x0000000008710000-0x0000000008827000-memory.dmp

      Filesize

      1.1MB

    • memory/512-151-0x0000000008710000-0x0000000008827000-memory.dmp

      Filesize

      1.1MB

    • memory/512-149-0x0000000002F80000-0x0000000003030000-memory.dmp

      Filesize

      704KB

    • memory/3352-147-0x00000000009C0000-0x00000000009ED000-memory.dmp

      Filesize

      180KB

    • memory/3352-146-0x0000000000820000-0x0000000000839000-memory.dmp

      Filesize

      100KB

    • memory/3352-148-0x0000000002BB0000-0x0000000002EFA000-memory.dmp

      Filesize

      3.3MB

    • memory/3352-150-0x0000000002A50000-0x0000000002ADF000-memory.dmp

      Filesize

      572KB

    • memory/3352-152-0x00000000009C0000-0x00000000009ED000-memory.dmp

      Filesize

      180KB

    • memory/4280-143-0x00000000001F0000-0x0000000000200000-memory.dmp

      Filesize

      64KB

    • memory/4280-142-0x0000000000180000-0x00000000001AF000-memory.dmp

      Filesize

      188KB

    • memory/4280-141-0x0000000000F90000-0x00000000012DA000-memory.dmp

      Filesize

      3.3MB

    • memory/4440-136-0x0000000000CC0000-0x0000000000CC3000-memory.dmp

      Filesize

      12KB